Slashdot Mirror


10,000-website Strong Malware Maze Created by Criminals

Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals with the aim of hijacking unsuspecting PCs. The site reports that users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."

8 of 118 comments

  1. more informative article here by esocid · Score: 3, Informative
    The name for the rootkit is random js toolkit which seems pretty uninventive to me.

    The random js attack is performed by dynamic embedding of scripts into a Web page. It provides a random filename that can only be accessed once.
    So does the infected computer then inject something into websites the user visits or is that done by whoever designed this little rootkit?
    --
    Absolute power corrupts absolutely. indymedia
  2. Re:Including Slashdot? by Anonymous Coward · Score: 2, Informative

    > In addition to sandboxing, browsers should ship with NoScript or equivalent functionality built-in.

    You mean like all the browsers of the Mozilla series do? NoScript is just a GUI exposing the Mozilla Security Policies, which have been available via prefs.js forever. An older one is "Policy Manager", and the lack of a GUI is even a long-term Bugzilla entry.

    And yes, the NoScript guys intentionally create the impression that their work is something new.

  3. Re:It's called a hosts file by Se7enLC · Score: 3, Informative

    This was the information that should have been included in the article. A link to the McAfee Avert Labs Blog:

    http://www.avertlabs.com/research/blog/index.php/2008/03/12/another-mass-attack-underway/

  4. Re:Including Slashdot? by MttJocy · Score: 2, Informative

    If you read TFA (not very Slashdot, I know), it does say that several of the sites were what would normally be considered trusted and thus could likely end up on such a whitelist, so it would hardly protect you against situations like this, where trusted websites have been owned by a malware attack themselves.

  5. can anyone tell me the checksum of the code? by 3seas · Score: 5, Informative

    I discovered my site had a directory and just under 2500 pages added to it. The directory and file dates are January 9th 08 and every one of the html files has the same script code in it. My research turned up indications of two mass site hacks in January.

    A google search for threeseas.net/blogger/log/cache/ (cache being the directory that contained the files [past tense]) shows up about 4500 sites pointing to one of the files in that directory. Some of the findings are even sourceforge sites and you can tell they have been hacked as well. In other words there are a lot of hacked sites besides mine.

    I notified google this morning and my host has already removed the files from my site, as the owner and group were set so that I couldn't do this myself.

    anyways rather than posting the code, a checksum would be better, of the code starting with the word "function" to the end of the code.

    1. Re:can anyone tell me the checksum of the code? by element-o.p. · Score: 3, Informative
      From TFA:

      Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches.

      Sounds like it would be rather difficult to get a checksum for you, sorry.
      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  6. Re:Oblig. by Anonymous Coward · Score: 1, Informative

    IT'S OVER NINE THOUSAND! is a meme started from the annie may Dragon Ball Z, where characters would use scouters to detect power levels. It was cuntpasted many a time for the win. No topic goes without it. It's worth noting that in the original man gay, Vegeta noted Goku's power level as being "over 8000", "9000" is a product of Funimation Faggotry.

    From: http://www.encyclopediadramatica.com/9000

  7. Re:The Question Webmasters Have Is... by Uncle+Op · Score: 2, Informative

    The Register offered one way to see the list:

          http://www.theregister.co.uk/2008/03/13/trend_micro_website_infected/

    The list is over 23,000 pages:

          http://www.l.google.com/search?hl=en&q=%22script+src%3Dhttp%3A%2F%2Fwww.2117966.net%2Ffuckjp.js%22&btnG=Google+Search&aq=f

    I haven't counted the Google-provided list. In theory some of those sites/pages have already been cleaned up, and they are reported 'cuz that was the last time Google spidered them.
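Comment 5 asks for a checksum of the injected script (taken from the word "function" onward) so that a webmaster can find identical copies across a compromised tree, and comment 7 shows the one concrete indicator the thread contains, the external `script src=http://www.2117966.net/fuckjp.js` reference. The following is an added example written for this page, not code from McAfee, the commenters or any project mentioned here: a small scanner that walks a web root, flags script tags that load from a host other than your own (with that one URL from the thread treated as a known indicator), and fingerprints inline scripts with SHA-256 from their first "function" keyword, whitespace-normalised, so trivially reformatted copies hash the same. The sample HTML in the usage block is constructed, and `own_hosts` and the `KNOWN_BAD_SCRIPT_SRC` set are assumptions you would replace with your own domains and indicators. As comment 5.1 notes, a hash only identifies copies of one specific payload; it is not a signature for the attack as a whole, since the served script changes from request to request.

```python
import hashlib
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Indicator quoted in comment 7 of the thread; extend with your own IOCs.
KNOWN_BAD_SCRIPT_SRC = {"http://www.2117966.net/fuckjp.js"}

# Crude but adequate for static HTML dumps: capture attributes and body of each <script>.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def script_fingerprint(body):
    """SHA-256 of an inline script from its first 'function' keyword to the end,
    with runs of whitespace collapsed. Returns None if there is no 'function'."""
    idx = body.find("function")
    if idx < 0:
        return None
    normalised = re.sub(r"\s+", " ", body[idx:]).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def analyse_html(html, own_hosts):
    """Return a list of (kind, value) findings for one HTML document.

    kind is one of:
      known_ioc       - src matches an indicator in KNOWN_BAD_SCRIPT_SRC
      external_script - src points at a host not in own_hosts
      inline_script   - inline code; value is its fingerprint
    Relative or same-host script references are not reported."""
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs, body = match.group(1), match.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1)
            host = urlparse(url).hostname
            if url in KNOWN_BAD_SCRIPT_SRC:
                findings.append(("known_ioc", url))
            elif host is not None and host.lower() not in own_hosts:
                findings.append(("external_script", url))
        elif body.strip():
            fp = script_fingerprint(body)
            if fp is not None:
                findings.append(("inline_script", fp))
    return findings


def scan_tree(root, own_hosts):
    """Scan every .htm/.html file under root; returns {path: findings} for hits only."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html") and path.is_file():
            found = analyse_html(path.read_text(errors="replace"), own_hosts)
            if found:
                results[str(path)] = found
    return results


def summarise(results):
    """Group hits by (kind, value) so one injected payload across thousands of
    files (as in comment 5) shows up as a single line with a file count."""
    counts = {}
    for findings in results.values():
        for item in findings:
            counts[item] = counts.get(item, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    # Usage: python scan.py /var/www/html example.org www.example.org
    if len(sys.argv) < 3:
        sys.exit("usage: scan.py <webroot> <own-host> [<own-host> ...]")
    hosts = {h.lower() for h in sys.argv[2:]}
    for (kind, value), n in summarise(scan_tree(sys.argv[1], hosts)):
        print(f"{n:6d}  {kind:16s} {value}")
```

Run it against a copy of the web root rather than the live tree, and treat every `external_script` line as something to explain: legitimate third-party scripts will appear there too, so the value is in the diff against what you expect to find, and in the `inline_script` counts, where one fingerprint recurring across thousands of files is exactly the pattern comment 5 describes.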